AS‑REP Roasting, What is it and how to stop it
Ever felt like your password policy is solid, then discovered attackers still found a loophole? Welcome to AS‑REP Roasting, one of those sneaky Kerberos tricks that can make even seasoned admins sweat. Here's the lowdown, in everyday language.
So… What Is AS‑REP Roasting?
Think of Kerberos like a bouncer at a club. Normally, the bouncer (your Domain Controller) checks your ID before handing you a wristband (a Ticket Granting Ticket, or TGT). That ID check is Kerberos pre‑authentication: the client proves it knows the password by sending a timestamp encrypted with a key derived from that password.
But some user accounts skip the ID check, either because someone unchecked a box years ago or because a legacy app demanded it. Attackers love those accounts, because the DC answers a bare AS‑REQ for them with an AS‑REP whose encrypted part is protected by the user's password‑derived key. Whoever holds that blob can guess passwords against it offline, with no further contact with the DC and no lockout. That's AS‑REP Roasting.
How Attackers Pull It Off (in Three Quick Moves)
https://hacktricks.boitatech.com.br/windows/active-directory-methodology/asreproast#asreproast
1. Find the easy targets – They hunt for accounts with "Do not require Kerberos pre‑authentication" switched on (the UF_DONT_REQUIRE_PREAUTH flag, 0x400000, in userAccountControl) using an LDAP query or a tool such as Rubeus. Any authenticated domain user can run that query; no special rights are needed.
2. Ask nicely – They send an AS‑REQ for that user with no pre‑authentication data. "Hey, can I get a ticket for this user?"
3. Crack it offline – The DC obliges, serving up an AS‑REP. Attackers take the encrypted part home and run a wordlist against it with a tool such as Hashcat (mode 18200 for the RC4/etype 23 form) until the password spills out. Every guess is checked locally, so nothing touches the DC and your lockout policy never fires.
Because the guessing happens offline, you will not see a stream of failed logons. What the DC does record is the initial request: a 4768 event with Pre‑Authentication Type 0 for that account. Unless you are watching for exactly that, the whole attack looks like one ordinary ticket request.
Why You Should Care (Yes, Even If You’re Busy)
Joint guidance from allied cyber agencies (including CISA and the ASD) lists AS‑REP Roasting among the common techniques used to compromise Active Directory. A single cracked password can snowball into domain admin rights, ransomware, and long nights for your team. Downtime, fines, frantic executives: you know the drill.
Four Practical Ways to Shut It Down
1. Spot Vulnerable Accounts
Open PowerShell on a machine with the ActiveDirectory module (RSAT) and run:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
If any names show up, they're on the naughty list. Check them the way an attacker would: what groups they are in and how old their passwords are.
2. Turn Pre‑Auth Back On
Clear that checkbox for every account you can. If an old system really needs it off, treat that account as a known weak spot: no admin rights, no wide access, a long unique password, and lots of logging.
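An added example (not from the original post) that puts steps 1 and 2 together: it re‑enables pre‑authentication on every exempt account except a documented allow‑list, and for the accounts that stay exempt it reports whether they are privileged. It assumes the RSAT ActiveDirectory module, an operator allowed to modify those users, and the allow‑list entry below is a placeholder name.

```powershell
# Added example (not from the original post). Dry run by default: remove -WhatIf
# after reviewing what it prints.
Import-Module ActiveDirectory

$allowList  = @('svc-legacy-scanner')   # documented exceptions only (placeholder name)
$privGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')

$exposed = Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } `
    -Properties DoesNotRequirePreAuth, MemberOf, LastLogonDate, PasswordLastSet, AdminCount

foreach ($u in $exposed) {
    if ($allowList -notcontains $u.SamAccountName) {
        # Clears UF_DONT_REQUIRE_PREAUTH; this is the "flip the checkbox" step.
        Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false -WhatIf
        Write-Host "Re-enabled pre-auth (dry run): $($u.SamAccountName)"
        continue
    }

    # Exceptions stay roastable, so they must be unprivileged and have strong passwords.
    $groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })
    $isPriv = ($u.AdminCount -eq 1) -or (@($groups | Where-Object { $privGroups -contains $_ }).Count -gt 0)

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Privileged      = $isPriv
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        Groups          = ($groups -join ', ')
    } | Format-List

    if ($isPriv) {
        Write-Warning "$($u.SamAccountName) is exempt from pre-auth AND privileged. Fix that first."
    }
}
```

Accounts that show Privileged = True with pre‑auth off are the ones to fix today; an attacker who cracks one of those skips straight to the end of the kill chain.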
3. Watch Your Logs Like a Hawk for these four AD Event IDs
4768 – Kerberos TGT requested. This is the one that matters. A 4768 with Pre‑Authentication Type 0 means a ticket was handed out with no pre‑auth, and Ticket Encryption Type 0x17 (RC4) on top of that is the attacker's preferred, fastest‑to‑crack combination. One client IP requesting such tickets for several accounts in quick succession is the classic roasting pattern.
4738 / 5136 – User account changed / directory object modified. These fire when someone flips the "Do not require Kerberos pre‑authentication" flag, which is how new roastable accounts get created.
4625 – Failed logons. A weak signal for roasting itself, because the cracking happens offline and never fails against the DC, but it catches the password spraying that often runs alongside it.
Spikes in the first two can mean someone's roasting your AS‑REPs.
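The detection described above, as an added example that is not part of the original post: it reads 4768 events from a domain controller's Security log, keeps only tickets issued with no pre‑authentication, and warns when one client IP has pulled such tickets for several different accounts. It assumes Kerberos Authentication Service auditing is enabled on the DC and that the 24‑hour window and the account threshold are starting points you will tune.

```powershell
# Added example (not from the original post). Run on a DC, or add -ComputerName to
# Get-WinEvent to query one remotely.
$since     = (Get-Date).AddHours(-24)
$threshold = 2    # distinct no-pre-auth accounts from one client IP before we alert

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } `
    -ErrorAction SilentlyContinue

$noPreAuth = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # PreAuthType 0 = ticket issued without pre-authentication; Status 0x0 = success.
    # TicketEncryptionType 0x17 = RC4, the cheapest form to crack offline.
    if ($d.PreAuthType -eq '0' -and $d.Status -eq '0x0') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $d.TargetUserName
            Client  = $d.IpAddress -replace '^::ffff:', ''   # DCs log IPv4 as IPv4-mapped IPv6
            EncType = $d.TicketEncryptionType
            RC4     = ($d.TicketEncryptionType -eq '0x17')
        }
    }
}

$noPreAuth | Sort-Object Time | Format-Table -AutoSize

# Roasting fingerprint: one client pulling no-pre-auth tickets for several different users.
$noPreAuth | Group-Object Client | Where-Object {
    @($_.Group.User | Select-Object -Unique).Count -ge $threshold
} | ForEach-Object {
    $users = @($_.Group.User | Select-Object -Unique)
    Write-Warning ("Possible AS-REP roasting from {0}: {1} account(s) -> {2}" -f
        $_.Name, $users.Count, ($users -join ', '))
}
```

A legitimate legacy app usually requests tickets for one account from one host; a roaster asks for every exempt account at once, from a workstation that has no business with any of them. That difference is what the grouping step surfaces.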
4. Strengthen Passwords (Still Matters!)
Long passphrases (14+ characters, and considerably longer for any account that must keep pre‑auth off) make offline cracking painful, and restricting the account to AES (etype 17/18) instead of RC4 makes every guess far slower. MFA does not stop the crack itself, because the attacker never talks to the DC while guessing, but it limits what a cracked password buys. The harder the hash, the louder the attacker swears.
Bottom Line
AS‑REP Roasting isn't exotic wizardry; it's a misconfiguration waiting to bite you. Close the gaps, keep passwords tough, and monitor like someone's livelihood depends on it (because it does).
Need a hand? HakSafe specializes in shoring up small‑business Active Directory before bad actors find the cracks.